News

PhD positions

Written on 04.06.20 by Ben Stock

Hi all,

for those of you finishing their master's degrees soon, I want to point to the fact that CISPA has a couple of PhD positions open in the area of Web security. In particular, this is both in my group (see https://swag.cispa.saarland/jobs.html) and in the one of Cristian-Alexandru Staicu (see https://www.staicu.org/job_post.html) who will be joining CISPA from October.

Even if you are not yet in the phase to consider the PhD, feel free to reach out and discuss options with either one of us.

Exam inspection

Written on 23.10.18 by Ben Stock

The exam inspection for the backup exam is set for this Friday, October 26th, for 9 to 11am in CISPA's 0.07. 

Re-Exam Results

Written on 11.10.18 by Ben Stock

... are online. 

Re-Exam Schedule

Written on 09.10.18 by Ben Stock

As already indicated, the backup exam will happen on Thursday, 10-12. It will be held in GHH, please find the seat map here.

We will try to be quick about grading, but due to travels, the exam inspection will not happen before October 23rd. The date will be announced separately at a later date.

Re-Exam Tutorial

Written on 04.09.18 by Sebastian Roth

Hi all,

The Re-Exam preparation tutorial Doodle has spoken. The tutorial will take place on Tuesday 25th September, 14-16 o'clock in the CISPA Lecture Hall.

Much to our regret, no one has used the opportunity to suggest topics via the askbot (https://cms.cispa.saarland/askbot/websec18/question/287/topics-for-the-re-exam-preparation-tutorial/). Nevertheless we will address the topics from the main exam which have a low average number of points as well as other frequent flaws.

Looking forward to seeing you all at the tutorial!

Re-Exam Preparation Tutorial

Written on 20.08.18 by Sebastian Roth

We want to offer a special Re-Exam preparation tutorial.
In this tutorial, we will address topics from the main exam which have low average points as well as frequent flaws.
To find a suitable timeslot as well as getting an approximation for the demand, please fill out the following Doodle.
https://doodle.com/poll/c4dw7hdxagppr6mc
If there are any topics that you would like to be explained in detail during the tutorial please write them in the associated thread in the Askbot (https://cms.cispa.saarland/askbot/websec18/question/287/topics-for-the-re-exam-preparation-tutorial/) or upvote them if they are already present.

Exam results and inspection

Written on 18.07.18 by Ben Stock

The exam results are now visible in the CMS. You can find the exact points for each of the tasks as well as the grade table there. The inspection will be on Friday, 9-11, most likely (and unless you hear otherwise) in CISPA's room 0.07 (meeting room next to the foyer).

If you cannot make it due to another exam, please write me an email such that we can arrange a separate slot.

Good night (*yawn*)!

Seat Key uploaded

Written on 17.07.18 by Ben Stock

The seat assignment for tomorrow's exam is now available at https://cms.cispa.saarland/websec18/dl/41/Seat_map.pdf

The seat map will also be posted on the door and all exams have the matriculation numbers and names of the student on them.

Hardware issues with screecher installations / gitlab

Written on 14.07.18 by Ben Stock

Hi all,

just in time, there now is an HDD issue with our VM host, which needs to be fixed by the CISPA admins. I hope this will be fixed on Monday, but to avoid any additional integrity damage, I have taken offline the VMs and gitlab for now. Since you should all have your own git repositories locally, I hope this does not interfere with your exam preparation.

Evaluation results

Written on 11.07.18 by Ben Stock

Sadly, just a couple of hours too late, the evaluation results have arrived. They are available at https://cms.cispa.saarland/websec18/dl/39/Evaluation_results.pdf

First of all, thanks for the positive feedback. It seems like many of you enjoyed the course as much as I did. Thank you also for suggested improvements. I want to address a couple of them here:

  • As for the exercise bugs, these were related to us developing screecher alongside the lecture, which is kind of fixed "by design" for the next iteration.
  • The assignment of teams is a known issue: scaling things up to 60 VMs seems infeasible (also for grading reasons), and reducing the course to 30 people would have left half of you not attending the lecture :) More tutors are not really an option, as we get no funding from the university for advanced lectures.
  • I doubt that there will be a script, but we can add comments about related books.

Thanks again for those items. We will try to incorporate the feedback in the next iteration!

Grading for #9 / Note on #10 / Q&A lecture

Written on 05.07.18 by Ben Stock

The grading for sheet 9 is online since last night. As in the previous weeks, please approach me if you have questions regarding the grading/feedback.

For sheet 10, please note that you naturally have another key than we do for the CRIME attack. Hence, just giving you the key from the config is pointless. Also, if you run into trouble with the attack, try to make sure that you add more redundancy to your message to best leverage the compression oracle.

Last, but not least, regarding the Q&A lecture: as this requires a bit of preparation, make sure that all your desired topics and votes are in the Askbot before Tuesday, 8am. After that, I will feel free to ignore any additional questions coming in, to make sure that those questions asked early are being addressed properly in the lecture.

Exercise sheet #7 graded / Note on exercise sheet #8

Written on 14.06.18 by Ben Stock

The grading for exercise #7 is now stored. If you have questions, please direct them to me and not Sebastian.

For sheet 8, please note that your solution must still work with our checkers which use python requests. We have had some issues related to encodings of cookies - so please make sure that your fix not only works for Chrome, but that our checker is satisfied :) 

Note about current exercise sheet

Written on 13.06.18 by Ben Stock

For OwlCash, you must not completely remove storage of the information about the last mined block on the client. You have to fix the issue in some other way :)

Questions for the exam preparation

Written on 11.06.18 by Ben Stock

To allow for optimal scheduling of time in the Q&A lecture, please use the Askbot to note things you would like to see covered (and upvote those that others asked and you want to have addressed)

Grading finished for sheet #5 / Feedback for lecture and exercise

Written on 08.06.18 by Ben Stock

I have finished the grading for sheet 5 and the results are in the CMS. If you have questions about your points, please direct them to me and not Sebastian.

Moreover, next week is the evaluation week for all courses. I will distribute the evaluation sheets in the middle of the lecture - this way you get a break and have fun evaluating :-) If possible, please think of things you want to improve in advance, such that you already have those things in mind when you come in.

Grading for exercise #6 online

Written on 07.06.18 by Ben Stock

The grading for exercise #6 is now stored. Please note that I did not leave individual feedback, since the correct answers are shown in the example solution. If you have questions, please direct them to me and not Sebastian.

Note on Exercise #7

Written on 07.06.18 by Ben Stock

You must not use stacked queries (i.e., multiple queries separated by a semicolon) for any of the tasks. Moreover, please note that any modification of the existing data is forbidden by the rules of the exercise sheet. 

Less points for Sheet #6

Written on 07.06.18 by Ben Stock

As discussed in the lecture, I did not do a good job explaining the allow-same-origin necessity for the Twitter iframe. I have therefore decided not to grade 1g) of Exercise sheet #6, so as to not punish anybody who did not get this right. Therefore, the sheet only has 28 points now.

Grading of exercises / Gameserver feedback / no lecture next week

Written on 18.05.18 by Ben Stock

Since not all of you attended the tutorial today, let me fill you in on a couple of things:

  • The gameserver only checks one specific exploit. Just because this does not work anymore does not mean that your fix was correct, only that our one exploit stopped working. Please double check your code to see that the flaw is actually gone (e.g., by attacking it with your own exploit).
  • We have deducted points from answers that are not brief. We don't do this out of spite, but rather to give you feedback that an answer was too long. We do this now where it does not hurt too much, rather than having you answer only half the questions in the exam in a verbose manner, not allowing you to have time for any other tasks.
  • Starting from sheet #4, you'll get brief feedback on why we deducted points via CMS. If you still feel the need to discuss any specifics with Sebastian, today's slides show his office hours.

Last but not least: there will be no lecture next week. This is why this week's sheet has 60 points and is due on May 30th.

Bug in Exercise 5 Task 3 CSP

Written on 16.05.18 (last change on 16.05.18) by Sebastian Roth

There is an error present in the CSP Task. We are currently working on a fix which will be pushed in your repositories ASAP.

Sorry for that inconvenience.

Slight change to exercise task

Written on 15.05.18 by Ben Stock

Please make sure that in your submission, you include a link to the merge request (e.g., https://gitlab.websec.saarland/team25/screecher/merge_requests/2). This allows for easier grading (not requiring us to look up the team ID first and so on).

Exercise submission

Written on 07.05.18 by Ben Stock

Since I saw this with some of the already submitted exercises: please read the instructions carefully! You must provide the hash of the commit you want us to consider for the fixed version as well as the exploits. Also, create a merge request in Gitlab for your changes once you are done. 

If the commit hash is missing from the uploaded PDF, we will not consider any code in the Git repository. Please make sure that you understand all instructions on the sheet. If not, please state your questions on Askbot for us to answer (and all others to see).

Updated exercise sheet and git

Written on 02.05.18 by Ben Stock

Due to a last minute change in our implementation, there was a bug in the exercise. I have uploaded a new version to the git. If you have already started your work, please rebase your development branch to the new master. If you have not, I have just updated your deployed version in the VMs for you.

Updated lecture slides and questions regarding Git

Written on 02.05.18 by Ben Stock

I have uploaded a new version of the lecture slides, which fixes a couple of typos.

Also, if you have questions about how to use Git or the workflow, please state them in the Askbot. Many things can likely be answered by your fellow students. Since this question already came up: you cannot push changes to the master branch. This is so that when submitting your solution, you can create a merge request, which we can use for grading. Please branch before changing anything (if you have questions about this, ask them in the Askbot or on Friday).

Tutorial on Friday

Written on 02.05.18 by Sebastian Roth

Hey,

The Doodle has spoken! Thus the Tutorial will take place on Friday 10-12 at the CISPA Lecture Hall.

I will explain topics regarding the current project, answer questions, and if there are solutions I will present them to you.

See you Friday,

Sebastian

Tutorial Doodle

Written on 25.04.18 by Sebastian Roth

To find a date that suits most of the students, please fill out the following doodle:
https://doodle.com/poll/h5a9kut2w5pt5mg5

Exercise Sheet 2 Task 5 changes

Written on 22.04.18 by Sebastian Roth

There is a small error in Exercise Sheet 2 Task 5 JSONP.

Please ignore the "in 1-2 sentences" part of this Task.

Sorry for that inconvenience.

Gitlab for Exercises

Written on 19.04.18 by Ben Stock

For the exercises, we will use Git, specifically Gitlab to a) deploy new tasks to your VMs and b) have you submit your solutions (fixes and attacks) as pull requests. Please go ahead and register yourself in https://gitlab.websec.saarland. For now, you will not be able to access any groups or create projects. Please use the email address you use for CMS and provide your real name when registering.

No recording / Team assignment

Written on 18.04.18 by Ben Stock

As I feared, the snafus in the media controls also resulted in the lecture not being recorded. We'll try again in two weeks.

More importantly: please find your team partners by April 25th and mail your team info to Sebastian. Whoever does not name their team or at least indicate that they want to participate but have not found a team mate yet will not be able to take part in the practical exercises (i.e., will not reach the required points for admission to the exam).

Bug in exercise 1

Written on 11.04.18 by Ben Stock

Hi all,

there was a minor issue with the exercise: there was a task on it which we did not cover in the lecture. This is due to a slight change in topic for the first lecture. Please find the updated version of the sheet online now (there is just one less task :)).

Best Regards

 Ben Stock


The course is full, unless you are already registered, you will have to wait until next year.

Web Security

The lecture will take place every Wednesday from 10-12, starting April 11th.

More information on the lecture will become available later on.

Exams 

  • Main exam: 18.7.2018, 10-12 (Room TBA)
  • Backup exam: 11.10.2018 10-12 (Room TBA)

Exercises 

After each lecture, you will be assigned exercises. These will typically consist of both theoretical questions and practical problems.

To be admitted to the exam, the following two criteria need to be fulfilled:

  • On average, you reach 50% of all available points for all exercise sheets.
  • On each exercise sheet, you reach at least 25% of the points. You may only skip up to 2 sheets altogether (or get less than 25% of the points on them).

Naturally, if a student is sick and therefore unable to submit their sheet, the sheet will not be considered. This only holds true if:

  • The student is reported sick by a doctor's note on the day of the submission
  • The doctor's note is submitted before or right after the submission deadline. At the very least, inform the tutor about the fact that you are sick.